From 3aa6a2b940183547f261581e8371a3f328f234b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20Chalk?=
Date: Thu, 25 Sep 2025 16:49:02 +0200
Subject: [PATCH] ci: fix release workflow - git push, split oidc from custom github app
---
 .github/workflows/publish.yml | 45 +++++++++++++++++++++++++++++++++++
 .github/workflows/release.yml | 7 +++---
 nx.json | 2 +-
 3 files changed, 49 insertions(+), 5 deletions(-)
 create mode 100644 .github/workflows/publish.yml
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 000000000..e3896afee
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,45 @@
+name: Publish
+
+on:
+ push:
+ tags:
+ - v*.*.*
+
+concurrency:
+ group: publish
+ cancel-in-progress: false
+
+# configured as trusted publisher (OIDC)
+# https://docs.npmjs.com/trusted-publishers
+permissions:
+ contents: read
+ id-token: write
+
+env:
+ NX_NON_NATIVE_HASHER: true
+ NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
+
+jobs:
+ publish:
+ name: Publish packages
+ runs-on: ubuntu-latest
+ environment: release
+ steps:
+ - name: Clone the repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: Configure Git user
+ # https://github.com/actions/checkout/blob/main/README.md#push-a-commit-using-the-built-in-token
+ run: |
+ git config user.name github-actions[bot]
+ git config user.email 41898282+github-actions[bot]@users.noreply.github.com
+ - name: Set up Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version-file: .node-version
+ cache: npm
+ - name: Install dependencies
+ run: npm ci
+ - name: Publish packages to npm
+ run: npx nx release publish
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index dcd195d2b..d60e37bea 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,7 +11,7 @@ concurrency:
 jobs:
 release:
- name: Publish packages
+ name: Version and release
 runs-on: ubuntu-latest
 environment: release
 env:
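Review bot: Every step of the `publish` job in the new publish.yml can request the npm OIDC token, because `id-token: write` is granted for the whole workflow and `npm ci` runs dependency lifecycle scripts in that same job, with `NX_CLOUD_ACCESS_TOKEN` also exported through the workflow-level `env`. Consider `run: npm ci --ignore-scripts` if the workspace builds without install scripts, and move the `NX_CLOUD_ACCESS_TOKEN` entry into an `env:` on the "Publish packages to npm" step. `actions/checkout@v4` and `actions/setup-node@v4` are mutable tags; in a job that can publish, pin them by commit, e.g. `uses: actions/checkout@<full-commit-sha> # v4`. The checkout step also keeps the job token in the local git configuration, and the "Configure Git user" step looks unused since nothing visible in this job commits or pushes, so `persist-credentials: false` would fit here. Any push of a tag matching `v*.*.*` starts this workflow, which means the `release` environment's protection rules and the npm trusted-publisher entry (neither visible in this diff) are what actually restrict who can publish.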
@@ -38,7 +38,6 @@ jobs:
 with:
 fetch-depth: 0
 token: ${{ steps.app-token.outputs.token }}
- persist-credentials: false
 - name: Set up Node.js
 uses: actions/setup-node@v4
 with:
@@ -46,7 +45,7 @@ jobs:
 cache: npm
 - name: Install dependencies
 run: npm ci
- - name: Version, release and publish packages
- run: npx nx release --yes
+ - name: Version, release and generate changelog
+ run: npx nx release --skip-publish
 env:
 GH_TOKEN: ${{ steps.app-token.outputs.token }}
diff --git a/nx.json b/nx.json
index 5f3c675ac..959979ed1 100644
--- a/nx.json
+++ b/nx.json
@@ -332,7 +332,7 @@
 "push": true,
 "pushRemote": "origin",
 "tag": true,
- "commitMessage": "release: {version} [skip ci]"
+ "commitMessage": "release: {version}"
 },
 "version": {
 "conventionalCommits": true,
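Review bot: Dropping `persist-credentials: false` from the checkout step in release.yml leaves the GitHub App token (`steps.app-token.outputs.token`) in the repository's git configuration for every later step of the job, including `npm ci` in the following hunk, which runs dependency install scripts before the release step needs the credential. That persistence is presumably what lets `nx release` push the release commit and tag, so the narrower fix is on the install step: `run: npm ci --ignore-scripts`, if the workspace builds without lifecycle scripts. A comment on the checkout step such as `# credentials persisted on purpose: nx release pushes the release commit and tag` would keep a later hardening pass from silently restoring the old setting. The job body starts before and continues past these hunks, so the permissions requested for the app token are not visible here.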